1、ConfigMap的配置
1.1 ConfigMap介绍
- ConfigMap 是一种 API 对象,用来将非机密性的数据保存到键值对中。使用时, Pod 可以将其用作环境变量、命令行参数或者存储卷中的配置文件。
- ConfigMap 将你的环境配置信息和容器镜像解耦,便于应用配置的修改。
- 注意:
ConfigMap 并不提供保密或者加密功能。 如果你想存储的数据是机密的,请使用 Secret, 或者使用其他第三方工具来保证你的数据的私密性,而不是用 ConfigMap。
1.2 ConfigMap 创建
- 使用 kubectl create configmap -h 查看演示例子
Examples:
# Create a new config map named my-config based on folder bar
kubectl create configmap my-config --from-file=path/to/bar
# Create a new config map named my-config with specified keys instead of file basenames on disk
kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt
# Create a new config map named my-config with key1=config1 and key2=config2
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
# Create a new config map named my-config from the key=value pairs in the file
kubectl create configmap my-config --from-file=path/to/bar
# Create a new config map named my-config from an env file
kubectl create configmap my-config --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env
1.2.1 查看下k8s已经创建好的configmap
可以看到这个信息是存储的一个key信息
[root@k8s-master configmap]# kubectl get configmaps
NAME DATA AGE
kube-root-ca.crt 1 6d1h
[root@k8s-master configmap]# kubectl describe configmaps kube-root-ca.crt
Name: kube-root-ca.crt
Namespace: default
Labels: <none>
Annotations: kubernetes.io/description:
Contains a CA bundle that can be used to verify the kube-apiserver when using internal endpoints such as the internal service IP or kubern...
Data
====
ca.crt:
----
-----BEGIN CERTIFICATE-----
MIIC/jCCAeagAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTI0MDIxOTE0MDQyNloXDTM0MDIxNjE0MDQyNlowFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL31
nYOmoFp9g1nfaVmuIIRJzwlCU9EGevBi/HnpSpdaW56cGuF1MqVJWhHCUcvN6sA/
9rlXOM7JS1SxN+gdO7e3WlW1e5iMTTj+63riA5tDcOv8kOPI72vgz026fK75tueW
IxD0VT1SM5fcY0H1bKvlxdr8Wxp57vxqtWX5lkJ71Xgf7Ur0L+cXwn7CiADiYAuK
nOMkc+JSYAuTeRN1eVfnjB9EvHZ3CFpSBYk2wvjqQwFwECwfoagIY9LvRzAK+P6+
NOuFXoreLgJ1kOhjGvJJ8G8vDq7483Foy90F/NqVTfy455ii4RMEZz32q5/1il0l
E4n9f2pfsaAUXMU5R+UCAwEAAaNZMFcwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wHQYDVR0OBBYEFPsTxB9wcuNswaTSxefPqK83boaXMBUGA1UdEQQO
MAyCCmt1YmVybmV0ZXMwDQYJKoZIhvcNAQELBQADggEBAEnbP3FV6/jGmSdR2s9B
CsEGHDAb9rCzE8kwodx2+N4jI/upFq0QSg+rYDXWpCX/pas3Y2Dp9CGt5b854Vmy
o3wI8FzDMHzeUsaeJlo99tWG2XeJ7tQ4uc+gWp11guPHHsCF+FtAfwTbWucwjvWh
MAfFXRx+H67d0patTpWoC0f4hMNsjCHv4WDrjzLWIh0WIJT41+st4YxAwJGeXxah
4ODzXuomahvh36NFkjCPy1VHzYLi3PjQ+YwggCL2OMrwLe/EdzzA3eZVNDkcsqOi
WEjR2HGj+QWdE7nMLRUzlTtxz6AIjBfugyV3a/XSiXaCt5CRSKeLiCCCY58INtMa
JDU=
-----END CERTIFICATE-----
BinaryData
====
Events: <none>
1.2.2 指定目录进行创建:kubectl create configmap my-config --from-file=path/to/bar
[root@k8s-master configmap]# cat db.properties
user: root
passwd: 123456
host: 127.0.0.1
[root@k8s-master configmap]# cat host.properties
k8s-master: 10.10.10.100
k8s-node-01: 10.10.10.177
k8s-node-02: 10.10.10.113
[root@k8s-master configmap]# kubectl create configmap my-config-test1 --from-file=/root/configmap/
configmap/my-config-test1 created
[root@k8s-master configmap]# kubectl describe configmaps my-config-test1
Name: my-config-test1
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
db.properties:
----
user: root
passwd: 123456
host: 127.0.0.1
host.properties:
----
k8s-master: 10.10.10.100
k8s-node-01: 10.10.10.177
k8s-node-02: 10.10.10.113
BinaryData
====
Events: <none>
1.2.3 指定文件进行创建:kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt
–from-file=key1=/path/to/bar/file1.txt
这里的key1相当于是给指定的这个文件进行改名
[root@k8s-master configmap]# kubectl create configmap my-config-test2 --from-file=mykey=db.properties
configmap/my-config-test2 created
[root@k8s-master configmap]# kubectl describe configmaps my-config-test2
Name: my-config-test2
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
mykey:
----
user: root
passwd: 123456
host: 127.0.0.1
BinaryData
====
Events: <none>
1.2.4 通过命令行创建:kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
[root@k8s-master configmap]# kubectl create configmap my-config-test3 --from-literal=name=school --from-literal=id=bj
configmap/my-config-test3 created
[root@k8s-master configmap]# kubectl describe configmaps my-config-test3
Name: my-config-test3
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
id:
----
bj
name:
----
school
BinaryData
====
Events: <none>
[root@k8s-master configmap]#
1.3 ConfigMap的使用
创建一个configmap的资源,在创建一个pod,把这个configmap的资源加载到pod里。
1.3.1 创建configmap
root@k8s-master configmap]# kubectl create configmap env-test --from-literal=JAVA_HOME='/usr/local/jdk1.8/' --from-literal=Name='您好~'
configmap/env-test created
[root@k8s-master configmap]# kubectl describe configmaps env-test
Name: env-test
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
JAVA_HOME:
----
/usr/local/jdk1.8/
Name:
----
您好~
BinaryData
====
Events: <none>
1.3.2 创建pod资源
apiVersion: v1
kind: Pod
metadata:
name: test-env-cm
spec:
containers:
- name: env-test
image: alpine
imagePullPolicy: IfNotPresent
command: ["/bin/sh","-c","env ; sleep 3600"]
env:
- name: JAVA_HOME_VM
valueFrom:
configMapKeyRef:
name: env-test # configmap的名字
key: JAVA_HOME # 表示从name的configmap种获取名字为key的value,将其赋值给本地环境变量 JAVA_HOME_VM
- name: Name_VM
valueFrom:
configMapKeyRef:
name: env-test
key: Name
restartPolicy: Never
[root@k8s-master configmap]# kubectl create -f env-test.yaml
pod/test-env-cm created
[root@k8s-master configmap]# kubectl get po
NAME READY STATUS RESTARTS AGE
dns-test 1/1 Running 1 (45h ago) 45h
fluentd-59k8k 1/1 Running 0 27h
fluentd-hhtls 1/1 Running 0 27h
nginx-deploy-fdd948cf4-69b85 1/1 Running 0 23h
nginx-deploy-fdd948cf4-r8ktj 1/1 Running 0 27h
test-env-cm 1/1 Running 0 21s
1.3.3 通过日志查看刚才的configmap信息是否在env中
1.3.4 通过volumes 加载configmap
apiVersion: v1
kind: Pod
metadata:
name: test-configfile-po
spec:
containers:
- name: env-test
image: alpine
imagePullPolicy: IfNotPresent
command: ["/bin/sh","-c","env ; sleep 3600"]
env:
- name: JAVA_HOME_VM
valueFrom:
configMapKeyRef:
name: env-test # configmap的名字
key: JAVA_HOME # 表示从name的configmap种获取名字为key的value,将其赋值给本地环境变量 JAVA_HOME_VM
- name: Name_VM
valueFrom:
configMapKeyRef:
name: env-test
key: Name
volumeMounts: # 加载数据卷
- name: db-config # 加载数据卷的名字
mountPath: "/opt/test/" #将数据卷加载到什么目录
readOnly: true # 是否只读
volumes: # 数据卷挂载configmap、secret
- name: db-config #数据卷的名字,随意设置
configMap: # 数据卷类型为ConfigMap
name: my-config-test1 #configMap的名字,必须跟想要加载的configmap相同
items: #对configmap中的key进行映射,如果不指定,默认会讲configmap中所有 key全部转换为一个个同名的文件
- key: "db.properties" # configMap中的key
path: "db,properties"#将该key的值转换为文件
restartPolicy: Never
通过以下容器内的文件信息可以看到,上文创建的yaml文件中对my-config-test1这个configmap种的iterm进行了定义,但是我们的这个configmap配置文件中包含了两个文件,iterms中只加载了db,并没有加载hosts。容器中的文件只有db,没有hosts。
如果不定义iterms,name就会加载全部信息。
[root@k8s-master configmap]# kubectl create -f test-file-po.yaml
pod/test-configfile-po created
[root@k8s-master configmap]# kubectl get po
NAME READY STATUS RESTARTS AGE
dns-test 1/1 Running 1 (45h ago) 45h
fluentd-59k8k 1/1 Running 0 28h
fluentd-hhtls 1/1 Running 0 28h
nginx-deploy-fdd948cf4-69b85 1/1 Running 0 23h
nginx-deploy-fdd948cf4-r8ktj 1/1 Running 0 27h
test-configfile-po 1/1 Running 0 7s
[root@k8s-master configmap]# kubectl exec -it test-configfile-po -- sh
/ # cd /opt/test/
/opt/test # ll
sh: ll: not found
/opt/test # ls
db,properties
/opt/test # cat db,properties
user: root
passwd: 123456
host: 127.0.0.1
/opt/test # echo $JAVA_HOME_VM
/usr/local/jdk1.8/
/opt/test # echo $Name_Vm
/opt/test # echo $Name_VM
您好~
2、 加密数据配置Secret
2.1 Secret 介绍
- 与ConfigMap类似,用于存储配置信息,但是主要用于存储敏感信息、需要加密的信息,Secret可以提供数据加密、解密功能。
- 在创建Secret时,要注意如果要加密的字符中,包含了有特殊字符,需耍使用转义符转移。eg: $ 转移后为"转移符号\加上$",
- 也可以对特殊字符使用单引号描述,这样就不需要转义。
- eg:1$289*-! 转换为 "1$289*-! "
- 场景使用:多用于docker镜像私有仓库的使用。
- 加密方式为base64,可以通过 “echo “xxxx”| base64 --decode” 解密
2.2 Secret的创建
可以通过查询kubectl create secret -h命令查询secret的创建
[root@k8s-master ~]# kubectl create secret -h
Create a secret using specified subcommand.
Available Commands:
docker-registry 创建一个给 Docker registry 使用的 Secret
generic Create a secret from a local file, directory, or literal value
tls 创建一个 TLS secret
Usage:
kubectl create secret [flags] [options]
Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).
2.2.1 创建secret资源
通过下面的命令就可以创建secret了。
[root@k8s-master ~]# kubectl create secret -h
Create a secret using specified subcommand.
Available Commands:
docker-registry 创建一个给 Docker registry 使用的 Secret
generic Create a secret from a local file, directory, or literal value
tls 创建一个 TLS secret
Usage:
kubectl create secret [flags] [options]
Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).
[root@k8s-master ~]# kubectl create secret generic test-secrete --from-literal=username=admin --from-literal=password='12123421'
secret/test-secrete created
2.2.2 通过describe查看secret的描述
[root@k8s-master ~]# kubectl describe secrets test-secrete
Name: test-secrete
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
password: 8 bytes
username: 5 bytes
2.2.3 通过edit 查看secret的信息
k8s-master Ready control-plane 6d14h v1.25.0
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
password: MTIxMjM0MjE=
username: YWRtaW4=
kind: Secret
metadata:
creationTimestamp: "2024-02-26T04:28:18Z"
name: test-secrete
namespace: default
resourceVersion: "519877"
uid: 8c981ce2-7cb2-4030-8fdd-b496ae72a4fa
type: Opaque
2.2.4 通过base64反编译这个信息
通过base64 反编译出原信息,可以看到这种加密方式不是很安全
[root@k8s-master ~]# echo "MTIxMjM0MjE=" | base64 --decode
12123421
[root@k8s-master ~]# echo "YWRtaW4=" | base64 --decode
admin
2.3 secret的使用
2.3.1 创建一个docke-registry的secret
[root@k8s-master ~]# kubectl create secret docker-registry docker-test-secret --docker-username='lianhetiyu@1949945210135676' --docker-password='Lanhe@123456' --docker-email='admin@test.com' --docker-server='registry.cn-hangzhou.aliyuncs.com'
secret/docker-test-secret created
[root@k8s-master ~]# kubectl describe sercet docker-test-secret
error: the server doesn't have a resource type "sercet"
[root@k8s-master ~]# kubectl describe secret docker-test-secret
Name: docker-test-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockerconfigjson
Data
====
.dockerconfigjson: 215 bytes
[root@k8s-master ~]# kubectl edit secrets test-secrete
Edit cancelled, no changes made.
[root@k8s-master ~]#
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
.dockerconfigjson: ey89JhdXRocyI6eyJyZWdpc3RyeS5jbi1oYW5nemhvdS5hbGl5dW5jcy5jb20iOnsidXNlcm5hbWUiOiJsaWFuaGV0aXl1X3doZEAxOTQ5OTQ1MjEwMTM1Njc2IiwicGFzc3dvcmQiOiJMYW5oZUAxMjM0NTYiLCJlbWFpbCI6ImFkbWluQHRlc3QuY29tIiwiYXV0aCI6ImJHbGhibWhsZEdsNWRWOTNhR1JBTVRrME9UazBOVEl4TURFek5UWTNOanBNWVc1b1pVQXhNak0wTlRZPSJ9fX0=
kind: Secret
metadata:
creationTimestamp: "2024-02-26T06:28:49Z"
name: docker-test-secret
namespace: default
resourceVersion: "530968"
uid: d31bb3f3-6111-4848-ab51-a894df2f1be1
type: kubernetes.io/dockerconfigjson
2.3.2 创建一个拉取镜像的新pod
apiVersion: v1
kind: Pod
metadata:
name: test-configfile-po
spec:
imagePullSecrets: # 配置docke仓库:docker registry 的 secret
- name: docker-test-secret
containers:
- name: env-test
image: alpine
imagePullPolicy: IfNotPresent
command: ["/bin/sh","-c","env ; sleep 3600"]
env:
- name: JAVA_HOME_VM
valueFrom:
configMapKeyRef:
name: env-test # configmap的名字
key: JAVA_HOME # 表示从name的configmap种获取名字为key的value,将其赋值给本地环境变量 JAVA_HOME_VM
- name: Name_VM
valueFrom:
configMapKeyRef:
name: env-test
key: Name
restartPolicy: Never
2.3.3 可以通过容器的描述引用了secret资源下载镜像
[root@k8s-master configmap]# kubectl create -f test-docker-po.yaml
pod/test-configfile-po created
[root@k8s-master configmap]# kubectl get po test-configfile-po
NAME READY STATUS RESTARTS AGE
test-configfile-po 1/1 Running 0 2m57s
[root@k8s-master configmap]# kubectl describe po test-configfile-po
Name: test-configfile-po
Namespace: default
Priority: 0
Service Account: default
Node: k8s-node-02/10.10.10.113
Start Time: Mon, 26 Feb 2024 16:28:01 +0800
Labels: <none>
Annotations: <none>
Status: Running
IP: 10.2.1.64
IPs:
IP: 10.2.1.64
Containers:
env-test:
Container ID: docker://cbcb9ece8da46b593a766c8d0d0247e3a02a0316ba24164e3ce3d5d8bf823829
Image: registry.cn-hangzhou.aliyuncs.com/lhty/controller:2.1
Image ID: docker-pullable://registry.cn-hangzhou.aliyuncs.com/lhty/controller@sha256:96f3490f6b7693caad23f2ce143d0e23516527edcd3448589cb9498011ba19c3
Port: <none>
Host Port: <none>
Command:
/bin/sh
-c
env ; sleep 3600
State: Running
Started: Mon, 26 Feb 2024 16:29:12 +0800
Ready: True
Restart Count: 0
Environment:
JAVA_HOME_VM: <set to the key 'JAVA_HOME' of config map 'env-test'> Optional: false
Name_VM: <set to the key 'Name' of config map 'env-test'> Optional: false
Mounts:
/opt/test/ from db-config (ro)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-nwsh6 (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
db-config:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: my-config-test1
Optional: false
kube-api-access-nwsh6:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 75s default-scheduler Successfully assigned default/test-configfile-po to k8s-node-02
Normal Pulling 75s kubelet Pulling image "registry.cn-hangzhou.aliyuncs.com/lhty/controller:2.1"
Normal Pulled 6s kubelet Successfully pulled image "registry.cn-hangzhou.aliyuncs.com/lhty/controller:2.1" in 1m8.912792712s
Normal Created 5s kubelet Created container env-test
Normal Started 5s kubelet Started container env-test
通过docker images,可以看到有刚才通过阿里云仓库拉取的镜像
3、SubPath的使用
场景需求:把nginx中的conf文件制作为一个configmap,后续想改动nginx的配置文件,我们只需要更新这个configmap即可,不需要重新登录进nginx容器内修改conf文件。但是
3.1 为什么需要使用SubPath?
使用configmap加载的文件到容器内目录后,如果原先有这个目录,会直接覆盖原先的目录,原先目录中的内容会丢失。
3.1.1 创建一个nginx配置文件的configmap
# 拿到容器中的nginx配置文件
root@k8s-master configmap]# kubectl exec nginx-deploy-fdd948cf4-69b85 -it -- sh -c "cat /etc/nginx/nginx.conf" > nginx-conf-cm.conf
## 创建这个configmap
[root@k8s-master configmap]# kubectl create cm nginx-conf-cm --from-file nginx-conf-cm.conf
configmap/nginx-conf-cm created
[root@k8s-master configmap]# kubectl describe cm nginx-conf-cm
Name: nginx-conf-cm
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
nginx-conf-cm.conf:
----
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
BinaryData
====
Events: <none>
3.1.2 修改deploy信息
nginx的pod是通过deployment创建的,所以只需要修改deployment信息就可以更新nginx了。
[root@k8s-master configmap]# kubectl get deployments.apps
NAME READY UP-TO-DATE AVAILABLE AGE
nginx-deploy 2/2 2 2 43h
[root@k8s-master configmap]# kubectl get po
NAME READY STATUS RESTARTS AGE
dns-test 1/1 Running 2 (5h14m ago) 2d14h
fluentd-59k8k 1/1 Running 1 (5h14m ago) 44h
fluentd-hhtls 1/1 Running 1 (5h14m ago) 44h
nginx-deploy-fdd948cf4-69b85 1/1 Running 1 (5h14m ago) 40h
nginx-deploy-fdd948cf4-r8ktj 1/1 Running 1 (5h14m ago) 43h
test-configfile-po 1/1 Running 0 18m
## 通过edit deploy nginx-deploy文件添加如下内容,如下内容需要和 containers 同一级别。
containers
command: ['/bin/sh','-c','nginx daemon off; sleep 3600'] # 为了防止容器启动失败。
volumesMounts:
- name: nginx-conf
mountPath: '/etc/nginx'
volumes:
- name: nginx-conf
configMap:
- name: nginx-conf-cm # configmap的名字
items:
- key: nginx-conf-cm.conf # configmap种文件的名字
path: nginx.conf
3.1.3 查看更新后过的nginx pod
[root@k8s-master configmap]# kubectl get po
NAME READY STATUS RESTARTS AGE
dns-test 1/1 Running 2 (5h57m ago) 2d14h
fluentd-59k8k 1/1 Running 1 (5h58m ago) 45h
fluentd-hhtls 1/1 Running 1 (5h57m ago) 45h
nginx-deploy-7d6db4657b-7pzc2 1/1 Running 0 38s
nginx-deploy-7d6db4657b-qq8sc 1/1 Running 0 40s
test-configfile-po 0/1 Completed 0 62m
[root@k8s-master configmap]# kubectl describe po nginx-deploy-7d6db4657b-7pzc2
Name: nginx-deploy-7d6db4657b-7pzc2
Namespace: default
Priority: 0
Service Account: default
Node: k8s-node-01/10.10.10.177
Start Time: Mon, 26 Feb 2024 17:29:41 +0800
Labels: app=nginx-deploy
pod-template-hash=7d6db4657b
Annotations: <none>
Status: Running
IP: 10.2.2.39
IPs:
IP: 10.2.2.39
Controlled By: ReplicaSet/nginx-deploy-7d6db4657b
Containers:
nginx:
Container ID: docker://6b349ede9bb23d51add64c24b28bab4a5df2804ea7bbe0e5efdcc97ba405a005
Image: nginx:1.20
Image ID: docker-pullable://nginx@sha256:03f3cb0afb7bd5c76e01bfec0ce08803c495348dccce37bcb82c347b4853c00b
Port: <none>
Host Port: <none>
Command:
/bin/sh
-c
nginx daemon off; sleep 3600
State: Running
Started: Mon, 26 Feb 2024 17:29:42 +0800
Ready: True
Restart Count: 0
Limits:
cpu: 200m
memory: 128Mi
Requests:
cpu: 100m
memory: 128Mi
Environment: <none>
Mounts:
/etc/nginx/ from nginx-conf (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-9xskq (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
nginx-conf:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: nginx-conf-cm
Optional: false
kube-api-access-9xskq:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 85s default-scheduler Successfully assigned default/nginx-deploy-7d6db4657b-7pzc2 to k8s-node-01
Normal Pulled 85s kubelet Container image "nginx:1.20" already present on machine
Normal Created 85s kubelet Created container nginx
Normal Started 85s kubelet Started container nginx
3.1.4 /etc/nginx/ 这个路径下只有一个nginx的配置文件,其他文件全部没了
[root@k8s-master configmap]# kubectl exec -it nginx-deploy-7d6db4657b-7pzc2 -- sh -c 'ls /etc/nginx/'
nginx.conf
[root@k8s-master configmap]# kubectl exec -it nginx-deploy-7d6db4657b-7pzc2 -- sh -c 'cat /etc/nginx/nginx.conf'
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
3.2 如何使用SubPath?
- 1、定义volumes时需要增加items属性,配置key和path,且path的值不能从/开始
- 2、在容器内的volumeMounts中增加subPath黑性,该值与volumes中tems.path的值相同。
3.2.1 修改deploy,添加subPath
3.2.2 在进容器查看下/etc/nginx目录内容
4、配置的热更新
我们通常会将项目的配置文件作为configmap然后挂载到pod,那么如果更新configmap中的配置,会不会更新到pod中呢?
这得分成几种情况:
默认方式:会更新,更新同期是更新间+缓存时间
subPath:不会更新
变量形式:如果pod中的一个变量是从configmap或secret中得到,同样也是不会更新的。
对于subPath的方式,我们可以取消subPath的使用,将配置文件挂载到一个不存在的目录,避免目录的夏盖,然后再利用软连接的形式,将该文件链接到目标位置。
4.1 通过edit 命令直接修改configmap
4.1.1 创建一个pod
apiVersion: v1
kind: Pod
metadata:
name: configfile-po
spec:
containers:
- name: configmap-po
image: alpine
imagePullPolicy: IfNotPresent
command: ["/bin/sh","-c","env ; sleep 3600"]
volumeMounts: # 加载数据卷
- name: db-config # 加载数据卷的名字
mountPath: "/opt/test/" #将数据卷加载到什么目录
readOnly: true # 是否只读
volumes: # 数据卷挂载configmap、secret
- name: db-config #数据卷的名字,随意设置
configMap: # 数据卷类型为ConfigMap
name: my-config-test1 #configMap的名字,必须跟想要加载的configmap相同
items: #对configmap中的key进行映射,如果不指定,默认会讲configmap中所有 key全部转换为一个个同名的文件
- key: "db.properties" # configMap中的key
path: "db.txt" # 将该key的值转换为文件
restartPolicy: Never
[root@k8s-master configmap]# kubectl get cm
NAME DATA AGE
env-test 2 18h
kube-root-ca.crt 1 6d20h
my-config-test1 2 18h
my-config-test3 2 18h
nginx-conf-cm 1 102m
[root@k8s-master configmap]# kubectl create -f configfile-po.yaml
pod/configfile-po created
[root@k8s-master configmap]# kubectl get po
NAME READY STATUS RESTARTS AGE
configfile-po 1/1 Running 0 20s
dns-test 1/1 Running 2 (6h53m ago) 2d15h
fluentd-59k8k 1/1 Running 1 (6h53m ago) 46h
fluentd-hhtls 1/1 Running 1 (6h53m ago) 46h
nginx-deploy-6fb8d6548-8khhv 1/1 Running 0 31m
nginx-deploy-6fb8d6548-fd9tx 1/1 Running 0 31m
[root@k8s-master configmap]# kubectl exec -it configfile-po -- sh -c 'cat /opt/test/db.txt '
user: root
passwd: 123456
host: 127.0.0.1
4.1.2 通过edit编辑my-config-test1,给configmap中添加一条信息
4.1.3 查看容器中的内容更新情况(需要等一段时间才会更新)
[root@k8s-master configmap]# kubectl exec -it configfile-po -- sh -c 'cat /opt/test/db.txt '
user: root
passwd: 123456
host: 127.0.0.1
date: '2024-02-26'
4.2 通过replace进行更新
由于conigmap我们创建通常都是基于文件创建,并不会编写yaml配置文件,因比修改时我们也是直接修改配置文件,而replace是没有 --from-file 参数的,因此无法实现基于源配置文件的替换,此时我们可以利用下方的命令实现
该命令的重点在于 --dry-run 参数,该参数的意思打印yaml文件,但不会将该文件发送给api-server,再结合 -o yaml输出yaml文件就可以得到一个配置好但是没有发给api-server的文件,然后再结合replace监听控制台得到yaml数据即可实现替换。
kubectl create cm --from-file=nginx.conf --dry-run -o yaml | kubectl replace-f-
4.2.1 更新需要添加到configmap的文件
[root@k8s-master configmap]# echo 'service: test' >> ./file/db.properties
4.2.2 通过 kubectl create cm --from-file=nginx.conf --dry-run -o yaml | kubectl replace-f- 更新configmap
[root@k8s-master configmap]# kubectl create cm my-config-test1 --from-file=./file/ --dry-run -o yaml
W0226 21:19:22.889508 89629 helpers.go:639] --dry-run is deprecated and can be replaced with --dry-run=client.
apiVersion: v1
data:
db.properties: |
user: root
passwd: 123456
host: 127.0.0.1
service: test
host.properties: |
k8s-master: 10.10.10.100
k8s-node-01: 10.10.10.177
k8s-node-02: 10.10.10.113
kind: ConfigMap
metadata:
creationTimestamp: null
name: my-config-test1
[root@k8s-master configmap]# kubectl create cm my-config-test1 --from-file=./file/ --dry-run -o yaml | kubectl replace -f-
W0226 21:21:09.680288 90368 helpers.go:639] --dry-run is deprecated and can be replaced with --dry-run=client.
configmap/my-config-test1 replaced
[root@k8s-master configmap]#
4.2.3 查看configmap
[root@k8s-master configmap]# kubectl describe cm my-config-test1
Name: my-config-test1
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
db.properties:
----
user: root
passwd: 123456
host: 127.0.0.1
service: test
host.properties:
----
k8s-master: 10.10.10.100
k8s-node-01: 10.10.10.177
k8s-node-02: 10.10.10.113
BinaryData
====
Events: <none>
4.2.4 查看容器内文件,已经更新
[root@k8s-master configmap]# kubectl exec -it configfile-po -- sh -c 'cat /opt/test/db.txt'
user: root
passwd: 123456
host: 127.0.0.1
service: test
5、不可变的configmap和secret
- 对于一些敏感服务的配置文件,在线上有时是不允许修改的,此时在配置configmap时可以设置 immutable:true 来禁止修改
5.1 查看之前创建的my-confgi-test1这个configmap配置
[root@k8s-master configmap]# kubectl describe cm my-config-test1
Name: my-config-test1
Namespace: default
Labels: <none>
Annotations: <none>
Data
====
db.properties:
----
user: root
passwd: 123456
host: 127.0.0.1
service: test
host.properties:
----
k8s-master: 10.10.10.100
k8s-node-01: 10.10.10.177
k8s-node-02: 10.10.10.113
BinaryData
====
Events: <none>
5.2 通过kubectl edit cm my-config-test1 添加 immutable: true
5.3 再次通过edit修改文件,发现已经无法更改文件了